Cyber security analysts at CyberNews (a leading cyber security news and analysis website) have blasted PayPal (NASDAQ: PYPL) for failing to fix major vulnerabilities that allow hackers to quickly drain users’ bank accounts.
CyberNews analysts first privately alerted PayPal to six vulnerabilities in the first half of January through its bug-reporting system. Three were fixed, but the most serious three are still unfixed – with PayPal denying that two are its responsibility to tackle.
Bernard Meyer, the Senior Researcher at CyberNews who undertook the research, says: “We are making these vulnerabilities public to warn its 305 million account holders and compel PayPal to fix them before hackers exploit these security flaws. There is no reason why this cannot be done almost immediately given the size of their resources.
“If you read its blurb, you will think that PayPal gives a lot of money to ethical hackers that find bugs. For instance, in 2018 PayPal announced a maximum bug bounty of $30,000 – a pretty nice sum.
“But the reality is somewhat different. For instance, when our analysts discovered six vulnerabilities in PayPal that put its millions of users’ money at risk, we were met with unresponsive staff, vague responses and often denial.
“When we pushed, its team then removed points from our Reputation score, relegating our profiles on its system to a suspicious, spammy level. This happened even though issues we raised were subsequently patched: although we received no bounty, credit, or even a thank you. Instead, we were worse off than if we hadn’t said anything! Nor were we the only ethical hackers to experience this.”
About the vulnerabilities:
Bernard says: “It is well known that PayPal users’ access details – their email address and passwords – are widely available on the internet’s Dark Web. Often it is because people ignore advice and use the same password for various websites, and sometimes because their computer is infected with keystroke malware that detects valuable passwords.
“Because of this, PayPal and other sites such as Amazon and banks use two-factor authentication, so if an important change is made to the account this is double-checked, for instance through a security code being texted to the user’s mobile phone.
“We alerted it last month that this double-check can currently be bypassed in PayPal, rendering it ineffective to any hacker who gains a person’s email and PayPal password – which are sadly available right now on the Dark Web for as little as $1.50 (£1.16) each. Sadly, its response to us was to say it wasn’t an issue for them to rectify.”
Bernard adds: “Our expectation is that PayPal will quickly fix these problems now we are shining a light on them.
“Your best defence is to have a unique password for PayPal and to have up-to-date, paid-for (not free) anti-virus software. Note that even Android smartphones can pick up viruses.
“If still concerned, PayPal account holders, which number over 305 million worldwide, should consider getting a ‘virtual credit card’ (VCC). These are well-established and allow you to spend online while protecting your card details, even if hackers get into your account. Most banks and card providers provide these. Also there are multiple services, such as privacy.com, that protect your card details and also allow you to set caps on how much can be purchased from different vendors.
“Keeping a one-time use VCC for payments, or turning it off after your shopping spree is completed, prevents hackers from accessing your funds even if they get into your PayPal account.
“Besides that, we recommend people should never hold any balance in PayPal or any other payment system, except for your bank. This is because scammers target users even with very small amounts on their PayPal account. If you don’t have money in your PayPal account, hackers won’t have any motivation to target you and will move onto someone else.
“Finally, make sure you don’t link your cards as, if your PayPal account is accessed, then a scammer can top it up and get their hands on the money from your bank or credit card.”
The vulnerabilities identified by CyberNews (that are still a threat to users):
| Vulnerability | What the hacker can do | What a hacker needs to exploit it | What would be the impact on a victim | Date reported by CyberNews to the PayPal team | Is it still live or fixed? |
| --- | --- | --- | --- | --- | --- |
| #1 Bypassing PayPal’s two-factor authentication (2FA) | Get into your account and steal your money. | Your email and password (available to buy on Dark Web for as low as $1.50) | Hacker can keep spending until victim’s bank account is empty, connected credit card maxed out, or victim notices their money disappearing | 10 January | This vulnerability is still live. |
| #2 Phone verification without One-Touch Password | Hackers don’t need to verify their phones, which makes it easier to create fraudulent accounts. | Your email and password (available to buy on Dark Web for as low as $1.50) | For hacked accounts, it makes it very hard for victims to get their accounts back, since the phone number has been changed and they can’t confirm it’s theirs. | 13 January | This vulnerability is still live. |
| #3 Overcoming PayPal’s automatic security measures (that trigger when suspicious activities occur) | Hackers can easily bypass security features designed to prevent suspicious transactions and other activities | Your email and password (available to buy on Dark Web for as low as $1.50) | Hacker can keep spending until the victim’s bank account is empty, connected credit card maxed out, or victim notices their money disappearing | Jan. 13 via HackerOne | The vulnerability is still live. |
Other vulnerabilities raised by CyberNews that have been fixed (no “thank you” has been received ☹)
| Vulnerability | What the hacker can do | What a hacker needs to exploit it | What would be the impact on a victim | When reported by CyberNews to PayPal team | When fixed / Is it still live? |
| --- | --- | --- | --- | --- | --- |
| Full name change | Hackers can change the name on PayPal accounts they hijack. | Your email and password (available to buy on Dark Web for as low as $1.50) | After the victim notices that their account has been compromised, they wouldn’t be able to get it back since it is no longer in their name. | 10 January | This issue is now fixed. |
| Self-help SmartChat vulnerability on PayPal | Hackers could enter and execute malicious code in PayPal’s system to impersonate PayPal and chat to users | Malicious code | With the right code, hackers could pretend to be a customer support agent, chat with real users and get sensitive information about them, leading to stolen funds, private information and more. | 16 January | Although PayPal’s team told us this was a non-issue, they still fixed the vulnerability! |
| Security questions persistent XSS | Hackers can inject scripts in stolen accounts and steal data. | Your email and password (available to buy on Dark Web for as low as $1.50) | Hackers can change the email where your money is being sent, steal credit card information, or get you to install malware. | 15 January | Although PayPal’s team said they considered this a duplicate, they still fixed the vulnerability the same day we reported it. |
About CyberNews
CyberNews.com provides the latest tech news, product reviews, and analysis to guide its readers worldwide through the ever-expanding land of technology, and particularly to help them navigate the risks from hackers, malware and misuse of personal data.